Intel® SGX Attestation Service Utilizing Enhanced Privacy ID (EPID)

For client-based (privacy focused) usages on PCs or workstations, a relying party/challenger accesses the Intel® SGX attestation service to submit attestation evidence for verification of SGX-enabled enclaves running as part of an application on a platform.

The Intel SGX attestation service is a web service hosted and operated by Intel in a public cloud environment. Its primary responsibility is to verify attestation evidence submitted by relying parties. The Intel SGX attestation service is an Intel-managed service utilizing Enhanced Privacy ID (EPID) provisioning, in which an Intel processor is given a unique signing key belonging to an EPID group. During attestation, the quote containing the processor’s provisioned EPID signature is validated, establishing that it was signed by a member of a valid EPID group. A commercial use license is required for any SGX application running in production mode that accesses the Intel SGX attestation service.

Enroll in Intel SGX Attestation Service

Subscribe now for access to the development environment, where non-production Intel SGX enabled applications can test attestation functionality in debug mode prior to release to production. One of the key decisions when subscribing to the development environment of the Intel SGX attestation service is the base chosen for the EPID signature: Random Base Mode or Name Base Mode. For additional background on EPID signature modes, as well as on the provisioning and attestation services, see this white paper.

API Documentation

Unlinkable Quotes (Random Base Mode)

Every signature gets a different random base, making the signatures unlinkable.

Verifying two signatures does not enable you to tell whether they were generated by the same or different signers.

Linkable Quotes (Name Base Mode)

A name is picked for the base to be used for a signature, making signatures linkable.

Verifying two signatures enables you to tell whether they were generated from the same or different signers.

Name Base Mode is preferred to protect against compromise.
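As an added example (not code from this page or from the Intel SDK), the checks a relying party can run on a raw EPID quote before submitting it to the attestation service: the header's sign_type field records whether the quote was produced in Random Base (unlinkable) or Name Base (linkable) Mode, and the report body's debug attribute distinguishes a debug-mode enclave from a production one. The sgx_quote_t layout and field offsets are assumed from the Intel SGX SDK; the sample quote, its MRSIGNER/MRENCLAVE values and its signature bytes are constructed, and the EPID signature itself is still verified by the service, not here.

```python
import struct

# Layout of an EPID quote (sgx_quote_t in the Intel SGX SDK; assumed here, not taken from this page):
# 48-byte header, 384-byte report body (sgx_report_body_t), 4-byte signature length, EPID signature.
QUOTE_HEADER = struct.Struct("<HH4sHH4s32s")  # version, sign_type, epid_group_id, qe_svn, pce_svn, xeid, basename
REPORT_BODY_LEN = 384
SGX_FLAGS_DEBUG = 0x2                         # attributes.flags bit set for an enclave launched in debug mode
SIGN_TYPE = {0: "unlinkable (Random Base Mode)", 1: "linkable (Name Base Mode)"}

def parse_quote(quote: bytes) -> dict:
    """Extract policy-relevant fields from a raw quote; the EPID signature itself is verified by the service."""
    hdr = QUOTE_HEADER.size
    if len(quote) < hdr + REPORT_BODY_LEN + 4:
        raise ValueError("quote too short")
    version, sign_type, gid, qe_svn, pce_svn, _xeid, basename = QUOTE_HEADER.unpack_from(quote, 0)
    body = quote[hdr:hdr + REPORT_BODY_LEN]
    (flags,) = struct.unpack_from("<Q", body, 48)            # attributes.flags
    isv_prod_id, isv_svn = struct.unpack_from("<HH", body, 256)
    (sig_len,) = struct.unpack_from("<I", quote, hdr + REPORT_BODY_LEN)
    if len(quote) != hdr + REPORT_BODY_LEN + 4 + sig_len:
        raise ValueError("signature length does not match quote size")
    return {"version": version, "sign_type": sign_type, "epid_group_id": gid.hex(), "qe_svn": qe_svn,
            "pce_svn": pce_svn, "basename": basename, "debug": bool(flags & SGX_FLAGS_DEBUG),
            "mr_enclave": body[64:96], "mr_signer": body[128:160],
            "isv_prod_id": isv_prod_id, "isv_svn": isv_svn, "report_data": body[320:384]}

def check_policy(fields: dict, expected_mr_signer: bytes, require_linkable: bool, allow_debug: bool = False) -> list:
    """Relying-party checks on the quote before submitting it for EPID verification."""
    problems = []
    if fields["sign_type"] not in SIGN_TYPE:
        problems.append(f"unknown sign_type {fields['sign_type']}")
    elif require_linkable and fields["sign_type"] != 1:
        problems.append(f"quote is {SIGN_TYPE[fields['sign_type']]} but policy requires Name Base Mode")
    if fields["debug"] and not allow_debug:
        problems.append("enclave runs in debug mode; reject for production")
    if fields["mr_signer"] != expected_mr_signer:
        problems.append("MRSIGNER does not match the expected enclave signer")
    return problems

def build_sample_quote(sign_type: int, debug: bool, mr_signer: bytes) -> bytes:
    """Constructed test quote with a placeholder (not real) EPID signature, for exercising the checks above."""
    assert len(mr_signer) == 32
    body = bytearray(REPORT_BODY_LEN)
    struct.pack_into("<Q", body, 48, 0x1 | (SGX_FLAGS_DEBUG if debug else 0))   # INITTED, optionally DEBUG
    body[64:96], body[128:160] = b"\x11" * 32, mr_signer                       # MRENCLAVE, MRSIGNER (made up)
    struct.pack_into("<HH", body, 256, 7, 3)                                   # isv_prod_id=7, isv_svn=3
    header = QUOTE_HEADER.pack(2, sign_type, bytes.fromhex("00000b00"), 5, 4, bytes(4), b"basename".ljust(32, b"\0"))
    sig = b"\xaa" * 16
    return header + bytes(body) + struct.pack("<I", len(sig)) + sig
```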

Intel® Provisioning Certification Service for ECDSA Attestation

To learn about ECDSA attestation support for enterprise, data center, and cloud service providers, visit our Intel® SGX provisioning certification service page.